Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Company Cmo
v3.0.0AI公司首席营销官(CMO)技能包。增长架构师与首席协同官。品牌战略、GEO引擎优化、需求生成、Agent化工作流、AI驱动永续增长引擎。
⭐ 0· 137·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, modules (GEO, Agentized workflows, KPI dashboards) and declared inter-skill dependencies (CEO/CFO/CPO) are coherent for an AI CMO skill. However, the manifest grants mcp permissions (sessions_send, subagents) that elevate its capability beyond what a conventional marketing advisory skill needs; this needs justification (the skill repeatedly references spawning/operating Agentized workflows, which explains it but also increases privilege).
Instruction Scope
SKILL.md is high-level, policy-and-process oriented rather than a sequence of concrete runtime commands. It calls for integrating private knowledge bases, JSON-LD markup, and large-scale 'agentized' automation. There are no explicit instructions to read arbitrary system files or environment variables, but the high-level guidance gives the agent broad discretion to call external APIs, read/write files, or create subagents — behavior that could expand scope at runtime unless constrained by the platform.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is downloaded or written by an installer). Static scanner had no code to analyze.
Credentials
The skill describes integrations with enterprise analytics and private knowledge bases but declares no required environment variables or primary credential. In practice those integrations typically require API keys or service credentials; the absence of declared credentials is a mismatch that could lead to the agent requesting user secrets at runtime or relying on platform/global credentials. The requested file and network permissions are reasonable for the stated integrations but should be tied to explicitly declared and limited credential needs.
Persistence & Privilege
always:false (good), but mcp permissions (sessions_send, subagents) allow spawning and communicating with subagents. Combined with file R/W and network api permissions this materially raises the blast radius — the skill could autonomously create many subagents that access files and external APIs. Autonomous invocation is enabled by default; the combination of subagent capability plus file/network access is the main privilege concern.
What to consider before installing
This skill appears to implement an AI-driven CMO role and is instruction-only (no installer or code), but you should not install it blindly. Before enabling it: 1) Ask the publisher to explain/justify the mcp permissions (why subagents/sessions are needed) and to document expected subagent behavior and limits. 2) Request a clear list of external integrations and the exact credentials the skill will need — prefer platform-managed, scoped credentials rather than pasting secrets into prompts. 3) If possible, test in a sandbox account that has no sensitive data and with network/file access restricted. 4) Limit or deny subagent creation if you don't want autonomous agents spawned; require human approval for subagent creation and outbound calls. 5) Verify the skill author/owner and prefer skills from known, auditable publishers. If these questions cannot be answered satisfactorily, treat the skill as high-risk and avoid granting broad file/network/mcp permissions.Like a lobster shell, security has layers — review code before you run it.
ai-companyvk975b41j8wmrgbsw7fcrxq6jh184sng2brand-positioningvk975b41j8wmrgbsw7fcrxq6jh184sng2c-suitevk97b7x4q1kht1k0y4np6d39qt184nh2xcmovk975b41j8wmrgbsw7fcrxq6jh184sng2demand-genvk975b41j8wmrgbsw7fcrxq6jh184sng2funnelvk975b41j8wmrgbsw7fcrxq6jh184sng2growthvk97b7x4q1kht1k0y4np6d39qt184nh2xlatestvk97enetms938nxt6vtr3w281t184vyw5marketingvk97b7x4q1kht1k0y4np6d39qt184nh2xmartechvk975b41j8wmrgbsw7fcrxq6jh184sng2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.